#include <tunables/global>

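/usr/sbin/dnsmasq {
  #include <abstractions/base>
  # nameservice provides the /etc/hosts + resolv.conf reads and the inet/inet6
  # stream and dgram socket access dnsmasq uses to listen and forward queries.
  # NOTE(review): on some distributions this abstraction also opens NSS
  # back-end sockets (LDAP/NIS/mDNS); confirm that is acceptable here.
  #include <abstractions/nameservice>

  # Bind the privileged DNS port (and the DHCP port, if DHCP is ever enabled).
  capability net_bind_service,
  # Drop from root to the unprivileged runtime user/group after start-up.
  capability setgid,
  capability setuid,
  # dac_override bypasses file-mode checks, but AppArmor's file rules still
  # apply on top of it, so it only widens access on the paths listed below.
  # NOTE(review): presumably needed to re-read root-owned config after the
  # privilege drop (e.g. on SIGHUP); verify against a denial log before
  # keeping it, and remove it if nothing is ever denied without it.
  capability dac_override,

  # No raw-socket grant.  The previous `network inet raw,` rule could never be
  # exercised: creating a raw socket needs CAP_NET_RAW, and AppArmor denies
  # any capability that is not listed in the profile (`capability net_raw,`
  # was absent).  This profile also carries no DHCP state paths (no lease
  # file), so a DNS-only deployment does not need raw sockets at all.  If DHCP
  # is enabled later and the in-use address ping is wanted, add BOTH
  # `network inet raw,` and `capability net_raw,` together with a write rule
  # for the configured lease file.

  # Main configuration plus drop-in directories, read-only.  `*` does not
  # descend into subdirectories, which is intentional.
  /etc/dnsmasq.conf r,
  /etc/dnsmasq.d/ r,
  /etc/dnsmasq.d/* r,
  /etc/dnsmasq.d-available/ r,
  /etc/dnsmasq.d-available/* r,

  # Blocklist (presumably loaded via addn-hosts or similar).  Read-only so a
  # compromised dnsmasq cannot rewrite its own blocklist.
  /var/lib/dnsmasq/ r,
  /var/lib/dnsmasq/block.hosts r,

  # The daemon binary itself: mmap + read for execution.
  /usr/sbin/dnsmasq mr,

  # Runtime state under /run (or /var/run on older layouts).
  # NOTE(review): the `*dnsmasq*` pid glob also matches unrelated names such
  # as /run/foo-dnsmasq.pid; narrow it to the configured pid-file name if
  # only one instance runs.
  /{,var/}run/*dnsmasq*.pid w,
  /{,var/}run/dnsmasq-forwarders.conf r,
  /{,var/}run/dnsmasq/ r,
  /{,var/}run/dnsmasq/* rw,

}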
